What is Personally Identifiable Information, and What Does PII Include?

Today, protecting personal information is more important than ever. As we use different online platforms, we are constantly sharing information that can clearly identify us. That is why it's important to know how to protect PII.

What is Personally Identifiable Information (PII)

Personally Identifiable Information (PII) is sensitive data that can identify an individual, including names, addresses, phone numbers, email addresses, social security numbers, passport numbers, driver's license numbers, and other similar information. The consequences of a data breach or leak of personal identifiable information (PII) can be severe, impacting both the individuals affected and the organizations storing their data. Therefore, businesses must take precautions when handling sensitive information about their customers or employees. In the context of computer systems and digital environments, PII covers any information that can identify a person and is crucial for maintaining privacy and security.

PII can be broadly categorized into two types:

1. Sensitive PII: This includes information that, if disclosed, could cause harm or embarrassment to an individual. Examples include Social Security numbers, financial information, health records, and biometric data.
2. Non-sensitive PII: This refers to information that is publicly available and less likely to cause harm if disclosed, such as names, addresses, and phone numbers. However, when combined with other data, even non-sensitive PII can become sensitive.

Types of Personally Identifiable Information

What is personal identifiable information(PII) data, then? Many types of PII fall under the category of PII data. The most common PII types are: Sensitive PII and Non-sensitive PII

Sensitive PII

Sensitive PII includes information that, if disclosed, could cause harm or embarrassment to an individual. Examples of sensitive PII encompass a wide range of data points:

• Social Security numbers
• Financial information
  • Credit card numbers
  • Bank account details
  • Tax records
• Health records
  • Medical histories
  • Diagnoses
  • Treatment plans
  • Insurance information
• Biometric data
  • Fingerprints
  • Facial recognition patterns
  • Retina scans

Non-sensitive PII

Non-sensitive PII refers to information that is publicly available and less likely to cause harm if disclosed. Examples of non-sensitive PII include:

• Names
• Addresses
• Phone numbers

It is important to note that even non-sensitive PII can become sensitive when combined with other data:

• Name and address linked with:
  • Birth dates
  • Employment information
  • Purchase history

In some situations, the date of birth might qualify as personal information if paired with another identifier, such as a name or address. Other examples include username and password combinations, medical record numbers, school ID numbers, bank account numbers, credit card account information, and biometric data, such as fingerprints or retina scans.

The Importance of PII

The importance of PII lies in its potential impact on both individuals and organizations. Here are some key reasons why PII is critical:

1. Privacy Protection: PII contains private information that individuals may not wish to be publicly accessible. Protecting PII ensures that personal details remain confidential and are only shared with authorized entities.
2. Identity Theft Prevention: One of the primary reasons for safeguarding PII is to prevent identity theft. When PII falls into the wrong hands, it can be used to impersonate individuals, leading to fraudulent activities such as opening bank accounts, applying for credit, or making unauthorized purchases.
3. Compliance with Regulations: Various laws and regulations, such as the General Data Protection Regulation (GDPR) in Europe and the California Consumer Privacy Act (CCPA) in the United States, mandate the protection of PII. Organizations must comply with these regulations to avoid legal consequences and maintain their reputation.
4. Trust and Reputation: For businesses, protecting customers' PII is crucial for maintaining trust and credibility. Data breaches that compromise PII can lead to significant reputational damage and loss of customer confidence.
5. Operational Security: Protecting PII is also essential for the overall security of an organization's operations. Unauthorized access to PII can lead to broader security breaches, putting the organization's systems and data at risk.

Data Breaches Involving Personal Identifiable Information (PII)

There are many examples of data breaches compromising PII. In the last few years, we’ve seen massive data breaches from companies such as Yahoo, Equifax, and Verizon.

In 2016, Verizon acquired the assets of Yahoo and discovered that hackers had breached Yahoo's systems in 2013, stealing information associated with over 500 million accounts, including names, email addresses, telephone numbers, dates of birth, hashed passwords, and even unencrypted security questions and answers.

In 2017, credit reporting firm Equifax reported a data breach that affected over 145 million customers. The breach included PII such as names, addresses, SSNs, and even some driver’s license numbers.

In the same year, telecommunications giants Verizon and  AT&T reported breaches that affected over 14 million customers.

What Can Be Done to Protect Your PII?

There are many options businesses have when it comes to Personal Identifiable Information (PII) protection. As a business owner, you want to ensure access points are safe for employees and customers, your networks are secure, and each device allows individual access only.

Implement Strong Access Controls

Access controls are the gatekeepers of data. In other words, they are the systems and processes that determine who has permission to access which data. Access controls typically fall into two categories:

• Authentication - Authentication is confirming that someone is who they say they are. It often involves checking a person's username and password to ensure that the information is correct. Multi-Factor Authentication is critical to any access control system because it prevents unauthorized users from accessing data.
• Authorization - Authorization is determining what a person is allowed to do. It often includes determining a person's role and what systems they are allowed to access. An authorization system will prevent someone with a general role from accessing highly-specific data.

Implement Strong Network Controls

Network controls protect a company's IT infrastructure from both external and internal threats. External threats include hackers, spammers, and other cybercriminals attempting to infiltrate the network.

Employees who are either maliciously or inadvertently causing harm to the network are the most common cause of internal threats. Businesses need a firewall configured to allow only authorized traffic to enter the network to protect against external threats. Wireless networks should also be encrypted to prevent eavesdropping and other forms of interception.

Implement Strong Device Controls

There are several ways to protect data on individual devices such as laptops and smartphones. One way is to implement controls that prevent someone from connecting an unauthorized device to the network.

Another way is to encrypt all data on the device so no one can read it without the proper decryption key. Using multi-factor authentication also helps to ensure that the person using the device is the person who should be using it.